GENERAL DATA PROTECTION ACT

GENERAL DATA PROTECTION ACT

It took a long time for GDPR to be finally approved. It came in force on May 25th, 2018.

General Data Protection Regulations (GDPR) is a regulation in the European Union (EU) law which deals with data protection, integrity, and privacy for all individual citizens of the EU.


It focuses on personal data outside the EU. It provides control to individuals in respect of their personal data.

The aim is to simplify the regulatory provisions in order to make it beneficial for the individuals of the country. It took a long time for GDPR to be finally approved. It came in force on May 25th, 2018. Under its provisions, non-compliant organizations can face heavy penalties in case of any breach.
 

The objectives of GDPR are as follows-

  1. It substantially strengthens the rights of citizens so that they can have more control over their personal data and how such information is shared.
  2. It also increases awareness of data regulation.
  3. New rights for EU nationals are provided under this act.
  4. The goal is to create an environment for data privacy.
     

Principles of GDPR
 

1.  Lawfulness- the information and personal data of all the users should be processed only for specific purposes. It should also be clearly mentioned and agreed by the user.

2.  Integrity- the safeguarding of data against unlawful processing by the processors.

3.  Limitation of storage- only such data should be stored which is required to perform the task for which the data is collected. If the data is no longer required then it should be deleted.

4.  The collection of data for specified and legitimate purposes and consent must be obtained from the user regarding it.

5.  Minimization of data- only such data should be collected which will be required in future and analysis should be done in respect of all the data about when it will be required and for what purposes.

6.  Accuracy-The data stored should be accurate and up to date. It should be ensured that the store data can be updated by the users if required.
 


 

Application of GDPR

It is applicable to the processing of personal data by controllers and processors in the EU regardless of whether the data collected is processed in the EU or not.

The two types of data handlers to which this legislation applies are processors and controllers.

A controller can be a person, authority, agency, for any other body which determines the purpose and means of the processing of such personal data.  

On the other hand, a Processor can be a person, public authority that processes such personal data on behalf of the controller.

It has its applicability extended to all such data processing in the EU by any controller or processor not based in the EU. All the businesses not based in the EU are required to appoint a representative in EU to act on behalf of the processor or controller regarding all the compliances. 
 

What does it actually mean to a business?

GDPR aims to establish common law across the entire continent and such a single set of rules and regulations which apply to companies doing any business in EU. It signifies that it is applicable to all the companies based outside EU but having their business transactions with EU.

It can benefit businesses to a great extent. By having a single authority supervising such legislation and can streamline the provisions, its applicability. It will also help the business in reducing the penalties. 

Businesses are encouraged to adopt various techniques like pseudonymization in order to strengthen privacy measures. It is a technique by which it is difficult to identify the original identity of the person to which the personal data belong by using codes, symbols, values, data string which seem to look original but are not. 
 

What does it mean to the consumer or the citizens?

 The following are protected under the provision of GDPR-

  1. The right to be informed;
  2. The right to access;
  3. The right to rectification;
  4. The right to be forgotten;
  5. The right to restrict processing;
  6. The right to data portability;
  7. The right to object;
  8. The right in respect of automated decision making and profiling.
     

Cost of Non-Compliance can go up to- higher of €20 million, or 4% of annual global turnover.
 

Data Protection Officer (DPO)

It is mandatory for processes and controllers to appoint DPO. It should be appointed on the basis of professional qualities and his knowledge of the provisions related to the protection of data and law practices. He should be a staff member or can be an external service provider.

He should also be provided with adequate resources required to carry out the task assigned and his reporting should be direct to the top management. Further, he should not carry out any other than for what he is appointed which can lead to conflict in interest.
 

Challenges for Indian companies in respect to GDPR

1.  The data protection act in India is very weak. The EU is the biggest market for Indian outsourcing and India's weak data protection law will make it less competitive than other market players.

2.  Restriction in cross-border- GDPR is not very flexible and reduces the extent to which businesses can access risk involved and which can allow them to take decisions in respect of transferring data outside the limit of the EU. It can also lead to an increase in the compliance cost of Indian companies in order to deal with all the rules and regulations imposed on data processing & transferring.

3.  High risk of penalties and litigation is there for Indian market players as it is clearly mentioned under GDPR regulation that it is applicable to all the businesses having their operations in the EU irrespective of the fact that they are based in the EU or not, failure of which can lead to heavy penalties.
 

What mitigation measures can be adopted?

  1. A vision and strategy should be developed for compliances with the provision of GDPR.
     
  2. Gaps should be assessed in order to determine what changes should be made in the current program of compliance to make it and par with the required compliance program.
     
  3. The accountability framework should be maintained in order to protect the data.
     
  4. Operational structures should be developed in order to facilitate new compliances.
     
  5. Processes should be created in order to maintain privacy and risk assessment.
     
  6. The risk profile should be reduced by identifying key recommendations.
     
  7. The review should be done on a periodic basis so that it is ensured that the compliance program is in alignment with the change in regulations if any.
     

In India, the second draft of the Personal Data Protection Bill, 2019 was put in the winter session of the Parliament by the Minister of Electronics & IT, Government of India. As of March 2020, the bill is under consideration by the Joint Parliamentary Committee (JPC) for further discussion with the experts and stakeholders in this matter.

It will deal with how personal information is handled by the businesses and various government bodies in India. Also, deal with all the sensitive data that should remain on Indian Territory servers. The electronic data protection in India is given by information technology act and information technology rules along with the Indian Penal Code.

Recently, in India, many Chinese mobile-based apps were banned by the Ministry of Electronics & Information Technology, in order to protect the personal data of all the users based in India which was illegally being stored on servers outside India without consent of users which could also potentially hamper India’s sovereignty, integrity, and defense.
 

EDITED BY SURBHI

Want to get your business journey featured on CLIQTAX ? Send an email to us at editor@cliqtax.com